The Encryption Checklist Most Companies Get Half Right
April 6, 2026

Encryption is one of those security controls that everyone thinks they have handled. Most companies are half right. Here is the complete checklist — six places encryption must exist.

Encryption is one of those controls that every company thinks they have covered — until an auditor starts asking questions. Most teams encrypt data at rest using their cloud provider's default settings, check the box, and move on. But SOC 2 and ISO 27001 auditors are looking for a lot more than that.

Here's the encryption checklist that separates companies that pass their first audit from those that scramble to remediate in the final weeks.

1. Encryption at Rest — The Basics Everyone Gets Right

Yes, you need to encrypt data at rest. AWS S3 server-side encryption, Azure Storage Service Encryption, Google Cloud Storage encryption — these are table stakes. If you're using a major cloud provider and haven't turned these on, do it today.

  • S3 buckets: SSE-S3 or SSE-KMS enabled
  • RDS databases: encryption enabled at creation (cannot be added later)
  • EBS volumes: encrypted
  • Backups: encrypted with the same or stronger key management

Critical: RDS encryption cannot be enabled on an existing unencrypted instance. You must create a snapshot, copy it with encryption enabled, and restore from the encrypted snapshot. Plan for this early.

2. Encryption in Transit — Where Most Companies Fall Short

This is where auditors start finding gaps. Encrypting data in transit means more than just having an SSL certificate on your public-facing website.

  • TLS 1.2 minimum everywhere — TLS 1.0 and 1.1 must be disabled
  • Internal service-to-service communication encrypted (not just external)
  • Database connections using SSL/TLS (check your connection strings)
  • API calls to third-party services over HTTPS only
  • Email containing sensitive data encrypted in transit (STARTTLS or S/MIME)

The most common gap we find: internal microservices communicating over HTTP because "it's inside the VPC." Auditors will ask about this. The answer "it's internal" is not sufficient for SOC 2 or ISO 27001.
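One way to put the "check your connection strings" item into practice. This is an added example, not code from the original article: it classifies PostgreSQL (libpq-style) and MySQL connection URLs by how strongly they enforce TLS, and the sample DSNs with `.internal` placeholder hosts are constructed.

```python
"""Classify database connection strings by how strongly they enforce TLS.
Added example, not from the original article; covers PostgreSQL (libpq) and
MySQL URLs. The sample DSNs at the bottom are constructed placeholders."""
from urllib.parse import parse_qs, urlsplit

# Weakest to strongest. "encrypted-unverified" means TLS is on but the server
# certificate is not checked, so an on-path party can still present its own.
LEVELS = ["plaintext", "opportunistic", "encrypted-unverified",
          "encrypted-ca-verified", "encrypted-fully-verified"]

# libpq sslmode values; "prefer" is the default and silently falls back to
# plaintext when the server does not offer TLS.
PG_SSLMODE = {"disable": LEVELS[0], "allow": LEVELS[1], "prefer": LEVELS[1],
              "require": LEVELS[2], "verify-ca": LEVELS[3], "verify-full": LEVELS[4]}
# MySQL ssl-mode values (5.7+ clients); PREFERRED is the default.
MYSQL_SSLMODE = {"disabled": LEVELS[0], "preferred": LEVELS[1], "required": LEVELS[2],
                 "verify_ca": LEVELS[3], "verify_identity": LEVELS[4]}


def classify_dsn(dsn: str) -> str:
    """Return the TLS level of one connection URL, or "unrecognized"."""
    parts = urlsplit(dsn)
    # Last value wins for repeated parameters; modes are compared lower-cased.
    params = {k.lower(): v[-1].lower() for k, v in parse_qs(parts.query).items()}
    scheme = parts.scheme.lower()
    if scheme.startswith("postgres"):
        return PG_SSLMODE.get(params.get("sslmode", "prefer"), "unrecognized")
    if scheme.startswith("mysql"):
        mode = params.get("ssl-mode") or params.get("ssl_mode") or "preferred"
        return MYSQL_SSLMODE.get(mode, "unrecognized")
    return "unrecognized"


def audit_dsns(dsns, minimum="encrypted-ca-verified"):
    """Return ({dsn: level}, [dsns below `minimum`]). Unrecognized schemes or
    modes (e.g. a typo libpq would reject at connect time) are always flagged."""
    floor = LEVELS.index(minimum)
    levels = {d: classify_dsn(d) for d in dsns}
    flagged = [d for d, lvl in levels.items()
               if lvl not in LEVELS or LEVELS.index(lvl) < floor]
    return levels, flagged


SAMPLE_DSNS = [  # constructed examples, not real systems
    "postgresql://app:pw@db.internal:5432/orders",                # no sslmode: prefer
    "postgres://app:pw@db.internal/orders?sslmode=require",
    "postgresql://app:pw@db.internal/orders?sslmode=verify-full",
    "mysql://app:pw@mysql.internal:3306/billing?ssl-mode=DISABLED",
    "mysql://app:pw@mysql.internal/billing?ssl-mode=VERIFY_IDENTITY",
    "postgresql://app:pw@db.internal/orders?sslmode=requre",      # typo
]
```

Run `audit_dsns(SAMPLE_DSNS)` and everything that is not at least CA-verified, including the DSN with no `sslmode` at all, comes back in the flagged list.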

3. Key Management — The Part Nobody Wants to Think About

Encryption is only as strong as your key management. If your encryption keys are stored in the same place as your encrypted data, you haven't actually protected anything.

  • Use a dedicated key management service (AWS KMS, Azure Key Vault, Google Cloud KMS, HashiCorp Vault)
  • Separate key management from data storage
  • Implement key rotation — at minimum annually, ideally more frequently
  • Document who has access to encryption keys and why
  • Log all key usage and access attempts

Key Rotation: The Requirement Everyone Ignores

SOC 2 and ISO 27001 both require documented key rotation procedures. Most companies have no rotation policy at all. AWS KMS can automate annual rotation for symmetric keys — enable it. For asymmetric keys and certificates, you need a manual process and a calendar reminder.

4. Encryption of Sensitive Data Fields — Not Just Storage

Encrypting your S3 bucket doesn't mean the sensitive fields inside your database are encrypted. Auditors will ask about field-level encryption for particularly sensitive data.

  • PII fields (SSN, passport numbers, financial account numbers)
  • Authentication credentials (passwords must be hashed, not encrypted)
  • API keys and secrets stored in your database
  • Health information (PHI) if you're subject to HIPAA

"We found a company that had full disk encryption on their RDS instance but was storing credit card numbers in plaintext in a separate MySQL table on an EC2 instance. The disk encryption was irrelevant — the data was exposed." — Careful Security Penetration Test Finding

5. Certificate Management — The Silent Killer

Expired TLS certificates cause outages and audit findings. More importantly, they indicate a lack of process — which is exactly what auditors are looking for.

  • Inventory all certificates and their expiration dates
  • Set up automated renewal where possible (Let's Encrypt, AWS Certificate Manager)
  • Alert on certificates expiring within 30 days
  • Document the renewal process for certificates that can't be automated
  • Include certificate management in your change management process

6. What Auditors Actually Check

When a SOC 2 or ISO 27001 auditor reviews your encryption controls, here's what they're actually looking at:

  1. Your encryption policy — does it exist, is it comprehensive, is it enforced?
  2. Evidence that encryption is enabled on all in-scope systems
  3. Key management documentation and rotation logs
  4. TLS configuration scans (they'll run their own)
  5. Certificate inventory and renewal procedures
  6. Any exceptions or compensating controls for systems that can't be encrypted

The Bottom Line

Encryption is not a checkbox — it's a program. Companies that pass their first SOC 2 or ISO 27001 audit have documented policies, consistent implementation across all systems, and evidence to prove it. Companies that fail are usually missing one of the items above.

If you're not sure where your gaps are, a pre-audit assessment will find them before the auditor does. That's always a better outcome.

Careful Security Team
CISSP · CISA · GPEN · 20+ Years Experience